File: task.yaml

package info (click to toggle)
snapd 2.72-1
  • links: PTS, VCS
  • area: main
  • in suites: sid
  • size: 80,412 kB
  • sloc: sh: 16,506; ansic: 16,211; python: 11,213; makefile: 1,919; exp: 190; awk: 58; xml: 22
file content (55 lines) | stat: -rw-r--r-- 2,497 bytes parent folder | download | duplicates (3) 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
 
summary: Ensure the default policy is correct for base and core bases

details: |
    Ideally we would check that:
    
    1. 'base: core' can access a core-only rule that 'base: other' cannot
    2. 'base: other' can access a base-only rule that 'base: core' cannot
    3. both can access something allowed by common rules
    
    While there are no core-only rules at this time for '1', we can at least
    test that 'grep --version' (differently allowed by core-only and
    base-only rules) does not get blocked. Combined with '2', this proves
    that that the 'base: core' snap has core-only policy but not base-only
    policy. Until we have a core-only rule that can be tested here, we'll
    rely on unit tests to ensure that base snaps don't have core-only rules).

prepare: |
    echo "Given basic snaps are installed"
    "$TESTSTOOLS"/snaps-state install-local test-snapd-sh-core
    "$TESTSTOOLS"/snaps-state install-local test-snapd-sh-core18

    # test-snapd-core18 is only available on amd64
    if os.query is-pc-amd64; then
        "$TESTSTOOLS"/snaps-state install-local test-snapd-sh-other18
    fi

execute: |
    # technically only apparmor file mediation is needed but strict is what
    # guarantees it is in use
    if [ "$(snap debug confinement)" != strict ]; then
        exit 0
    fi

    # 'grep' is allowed explicitly in core rules and via glob rule in base
    # rules
    echo "Then 'grep --version' is allowed by core"
    test-snapd-sh-core.sh -c 'grep --version' 2>&1 | NOMATCH "Permission denied"
    test-snapd-sh-core18.sh -c 'grep --version' 2>&1 | NOMATCH "Permission denied"

    echo "Then a common rule should succeed with either base"
    test-snapd-sh-core.sh -c 'grep root /etc/passwd' 2>&1 | MATCH "root:"
    test-snapd-sh-core18.sh -c 'grep root /etc/passwd' 2>&1 | MATCH "root:"
    if os.query is-pc-amd64; then
        test-snapd-sh-other18.sh -c 'grep root /etc/passwd' 2>&1 | MATCH "root:"
    fi

    # 'ls' is allowed explicitly in core rules and via glob rule in base rules
    # so fail with core if EPERM on exec of /bin/ls and fail with base if EPERM
    # on anything.
    echo "But a base-only rule should only pass with non-core base"
    test-snapd-sh-core.sh -c 'ls -l /var' 2>&1 | MATCH "'/var': Permission denied"
    test-snapd-sh-core18.sh -c 'ls -l /var' 2>&1 | MATCH "'/var': Permission denied"
    if os.query is-pc-amd64; then
        test-snapd-sh-other18.sh -c 'ls -l /var' 2>&1 | NOMATCH "Permission denied"
    fi